6 matches found
CVE-2026-30845
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...
EUVD-2026-10063
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...
CVE-2025-65779
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value Boards.allow returns true without verifying userId, allowing arbitrary reordering of boards...
CVE-2025-65779
Wekan up to version 18.15 is affected; fixed in 18.16. An unauthenticated attacker can update a board's sort value because Boards.allow returns true without verifying userId, enabling arbitrary reordering of boards. Affected: Wekan (Open Source Kanban board) prior to 18.16. Impact: potential alte...
CVE-2025-65779
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value Boards.allow returns true without verifying userId, allowing arbitrary reordering of boards...
CVE-2025-65782
Wekan up to v18.15 is affected by an authorization flaw in card update handling that lets board members or other authenticated users add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting. The issue is fixed in v18.16. Affected compone...